Retbleed is a new attack on the speculative execution mechanism of Intel and AMD CPUs

A group of researchers from ETH Zurich has identified a new attack on the mechanism for speculative execution of indirect branches in CPUs, which makes it possible to extract information from kernel memory or to mount an attack on the host system from virtual machines. The vulnerabilities are codenamed Retbleed (CVE-2022-29900, CVE-2022-29901) and are close in nature to Spectre-v2 attacks. The difference comes down to arranging speculative execution of arbitrary code while the "ret" (return) instruction is processed, which fetches the address to jump to from the stack, rather than through an indirect jump with the "jmp" instruction, which loads the address from memory or a CPU register.

An attacker can create the conditions for an incorrect branch prediction and arrange a targeted, speculative jump to a block of code that the program's execution logic does not provide for. The processor eventually determines that the branch prediction was not justified and rolls the operation back to its original state, but the data processed during speculative execution ends up in the cache and in microarchitectural buffers. If the mistakenly executed block accesses memory, its speculative execution causes the data read from memory to be placed in the shared cache.

To determine the data left in the cache after speculative operations, the attacker can use side-channel methods, such as analysing changes in access times to cached and uncached data. To deliberately extract information from areas at another privilege level (for example, from kernel memory), "gadgets" are used: sequences of instructions present in the kernel that are suitable for speculatively reading data from memory depending on external conditions that the attacker can influence.

To protect against classic Spectre-class attacks that use conditional and indirect jump instructions, most operating systems use the "retpoline" technique, which is based on replacing indirect jump operations with the "ret" instruction, for which processors use a separate stack state prediction unit that does not use the branch prediction block. When retpoline was introduced in 2018, it was believed that Spectre-like address manipulations were not practical for speculative branching with the "ret" instruction.

The researchers who developed the Retbleed attack method demonstrated that it is possible to create the microarchitectural conditions for initiating a speculative jump with the "ret" instruction, and published ready-made tools for identifying instruction sequences (gadgets) suitable for exploiting the vulnerability in the Linux kernel, in which such conditions manifest themselves.

In the course of the research, a working exploit was prepared that allows, on systems with Intel CPUs, arbitrary data to be extracted from kernel memory by an unprivileged process in user space at a rate of 219 bytes per second with 98% accuracy. On AMD processors the exploit is considerably more efficient: the leak rate is 3.9 KB per second. As a practical example, it is shown how the proposed exploit can be used to determine the contents of the /etc/shadow file. On systems with Intel CPUs, the attack to determine the root user's password hash took 28 minutes, and on systems with AMD CPUs it took 6 minutes.

The attack has been confirmed for generations 6-8 of Intel processors released before Q3 2019 (including Skylake), and for AMD processors based on the Zen 1, Zen 1+ and Zen 2 microarchitectures released before Q2021 3. In newer processor models such as AMD ZenXNUMX and Intel Alder Lake, as well as in ARM processors, the problem is blocked by existing protection mechanisms. For example, using IBRS (Indirect Branch Restricted Speculation) instructions helps protect against the attack.

A set of changes has been prepared for the Linux kernel and the Xen hypervisor that blocks the problem in software on older CPUs. The proposed patch for the Linux kernel changes 68 files, adds 68 lines, and removes 38 lines. Unfortunately, the protection leads to significant overhead: in tests run on AMD and Intel processors, the performance degradation is estimated at from 1783% to 387%. It is preferable to use protection based on IBRS instructions, which is available in newer generations of Intel CPUs and supported starting with Linux kernel 14.
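A defender's check of what a running Linux system reports about this mitigation, as an added example that is not from the article or the kernel project. It assumes the kernel exposes the `retbleed` entry under `/sys/devices/system/cpu/vulnerabilities/` and CPU flags in `/proc/cpuinfo` (paths the article does not name); the sample status lines are constructed in the kernel's format, and the verdict labels are this example's own.

```python
from pathlib import Path
# Real sysfs/procfs paths on Linux; neither is named in the article.
SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/retbleed")
CPUINFO = Path("/proc/cpuinfo")
# Constructed sample lines in the format the kernel prints.
SAMPLES = ("Not affected", "Vulnerable", "Mitigation: IBRS",
           "Mitigation: untrained return thunk; SMT vulnerable")

def classify(status):
    """Map the kernel's one-line status to (verdict, detail)."""
    text = status.strip()
    low = text.lower()
    if low.startswith("not affected"):
        return "not_affected", ""
    if low.startswith("mitigation:"):
        detail = text.split(":", 1)[1].strip()
        # Caveats follow a ';', e.g. "...; SMT vulnerable".
        caveats = [p.strip().lower() for p in detail.split(";")[1:]]
        if "smt vulnerable" in caveats:
            return "partial", detail
        return "mitigated", detail
    if low.startswith("vulnerable"):
        return "vulnerable", text
    return "unknown", text

def ibrs_flags(cpuinfo_text):
    """Return the speculation-control CPU flags the kernel advertises."""
    wanted = {"ibrs", "ibrs_enhanced", "ibpb"}
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags":
            return sorted(wanted & set(value.split()))
    return []

def report(sysfs=SYSFS, cpuinfo=CPUINFO):
    try:
        verdict, detail = classify(sysfs.read_text())
    except OSError:  # entry missing: kernel predates Retbleed reporting
        verdict, detail = "unknown", "kernel does not report Retbleed status"
    try:
        flags = ibrs_flags(cpuinfo.read_text())
    except OSError:
        flags = []
    return {"verdict": verdict, "detail": detail, "cpu_flags": flags}

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", classify(s))
    print(report())
```

A "partial" or "vulnerable" verdict across a fleet is the signal to prioritise kernel and microcode updates on the affected CPU generations.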

On Intel processors, the address substitution for a speculative indirect jump is made possible by a feature that appears when an overflow through the lower bound (underflow) occurs in the Return Stack Buffer. When such conditions arise, the "ret" instruction starts to apply address selection logic similar to that used for ordinary indirect jumps. More than a thousand places have been found in the Linux kernel that create the conditions for initiating such an underflow and are reachable through system calls.

On AMD processors, speculative execution of the "ret" instruction is performed without reference to a stack-specific buffer (Return Address Stack), and the branch prediction unit treats the "ret" instruction not as a control return but as an indirect branch and, accordingly, uses the data for predicting indirect jumps. Under these conditions, any "ret" operation reachable through a system call can be exploited.

In addition, another issue has been identified in AMD CPUs (CVE-2022-23825, Branch Type Confusion) related to the implementation of fictitious branches: the conditions for branch prediction can arise even without the necessary branch instructions, which makes it possible to influence the branch prediction buffer without the "ret" instruction. This feature significantly complicates the implementation of protection and requires more active clearing of the branch prediction buffer. Adding full protection to the kernel is expected to increase overhead by 209%.

Source: opennet.ru
